Wednesday, 29 May 2019

The Price of Loyalty, almost half of UK Office Workers are willing to sell Company's Information

A new report released by Deep Secure revealed 45% of office workers surveyed would sell their company's corporate information. Just £1,000 would be enough to tempt 25% of employees to give away company information, while 5% would give it away for free.

59% of staff admitted at some point to have taken company information from a corporate network or devices, which matches up to known industry trends. 

Common Staff Data Exfiltration Tactics
  • Digital; email, uploading to cloud services and copying to external storage (11%)
  • Using steganography or encryption tools to hide exfiltration (8%)
  • Printing information (11%)
  • Handwriting copying information (9%)
  • Photographing information (8%)
Type of Information Taken
  • Personal Work (19%)
  • Customer Information i.e. contact details, confidential market information, sales pipeline  (11%)
  • Company Assets i.e. passwords to subscription services, company benefits (7%)
The Motivation for staff taking Information?
  • Value for their future career success in their next role (12%)
  • To keep a record of their work (12%)
  • Benefit their career (10%)
  • Financial, specifically paid to do so by an outside third party (8.5%)
The Insider Threat and DLP
Often businesses have their heads in the sand when comes to managing their insider threat, although some do turn to sophisticated IT Data Loss Prevention (DLP) solutions as a silver bullet for managing this risk. However, DLP solutions would be infective against the final four bulleted 'Staff Data Exfiltration' methods listed above.  Particularly the use of cyber tools to steal company information digitally has been democratised by the availability of toolkits on the dark web. For example, steganography toolkits, which enable cybercriminals to encode information into an image or text, can be downloaded for free and guarantee an undetectable route for getting information out of the company network.

Deep Secure CEO Dan Turner concluded “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016. Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued. 

The Cost of Staff Data Thefts
The theft of corporate information can hurt business competitiveness and future profit margins, and there are significant financial losses which could be incurred should staff take personal data on mass. UK supermarket giant Morrisons lost a landmark data breach court case in December 2017 took a financial hit after a disgruntled Morrisons' employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. With the GDPR coming into force just over a year ago, the Information Commissioner's Office is now empowered to fine British businesses millions of pounds for mass personal data losses. The Morrisons court case demonstrates UK companies will be brought to book for staff malicious data thefts.

Tuesday, 28 May 2019

UK Pub Chain 'Greene King' Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", only to say within their customer disclosure email "
Whilst your password was encrypted, it may still be compromised". It is a long established good industry coding practice for a website application's password storage to use a one-way 'salted' hash function, as opposed to storing customer plaintext passwords in an encrypted form.

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement, which suggests their website had security vulnerabilities which were fixable, "
we have taken action to prevent any further loss of personal information"

The number of customer records impacted by this data breach has also not disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA\GDPR to report the breach to the Information Commissioner's Office (ICO) as well as its impacted customers. Both Greene King and ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times, in November 2016 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails.  Remember criminals can fake (spoof) their 'sender' email address and email content to replicate a ligament email.

Wednesday, 22 May 2019

The UK Government Huawei Dilemma and the Brexit Factor

In the last couple of days, Google announced it will be putting restrictions on Huawei’s access to its Android operating system, massively threatening Huawei's smartphone market. Meanwhile, UK based chip designer ARM has told its staff to suspend all business activities with Huawei, over fears it may impact ARM's trade within the United States.  Fuelling these company actions is the United States government's decision to ban US firms with working with Huawei over cybersecurity fears.

The headlines this week further ramps up the pressure on the UK government to follow suit, by implementing a similar ban on the use of Huawei smartphones and network devices within the UK, a step beyond their initial 5G critical infrastructure ban announced last month. But is this really about a foreign nation-state security threat? Or is it more about it geo-economics and international politicking?
Huawei: A Security Threat or an Economic Threat?

Huawei Backdoors
It’s no secret that Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army, and the company was quickly built with the backing of major Chinese state and military contracts. But the US government, secret services and military are also known to invest heavily in Silicon Valley and US tech firms. In recent weeks there have been a number of accusations about deliberate backdoors placed within Huawei devices, implying the usage of Huawei devices could aid Chinese forces in conducting covert surveillance, and with potentially causing catastrophic impacting cyber attacks.
The reality is all software and IT hardware will have a history of exploitable vulnerabilities, and it is pretty much impossible to determine which could be intentionally placed covert backdoors, especially as an advanced and sophisticated nation-state actor would seek to obfuscate any deliberately placed backdoor as an unintentional vulnerability. 

For instance, the following are critical security vulnerabilities reported within tech made by US firms in just the last 9 days, no suggestion any of these are intentionally placed backdoors:
The more usual approach taken by nation-state intelligence and offensive cyber agencies is to invest in finding the unintentional backdoors already present in software and hardware. The discovery of new and completely unknown 'zero-day' security vulnerability is their primary aim. Non-published zero-days vulnerabilities are extremely valuable, clearly, a value lost if they were to inform the vendors about the vulnerability, as they would seek to quickly mitigate with a software patch.

For instance, the United States National Security Agency (NSA) found and exploited vulnerabilities in Windows without informing Microsoft for over five years, creating a specific hacking tool called EternalBlue, which is able to breach networks. The very same tool that was leaked and used within the devasting WannaCry ransomware attack last year. 

The WhatsApp vulnerability reported last week was another public example of this approach, where a private Israeli firm NSO Group found a serious vulnerability within WhatsAppBut instead of informing Facebook to fix it, NSO created a tool to exploit the vulnerability, which it sold to various governments. The ethics of that is a debate for another day.
The Laws which allows Nation-States to Conduct Cyber Surveillance
The United States has significant surveillance powers with the "Patriot Act", the Freedom Act and spying internationally with FISA. China has its equivalent surveillance powers publicly released called the "2017 National Intelligence Law". This law states Chinese organisations are "obliged to support, cooperate with, and collaborate with national intelligence work". But just like Apple, Microsoft and Google, Huawei has categorically said it would refuse to comply with any such government requests, in a letter in UK MPs in February 2019. Huawei also confirmed "no Chinese law obliges any company to install backdoors", a position they have backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.

The Brexit Factor
There is a lot of geo-politicking and international economics involved with Huawei situation, given the US government are aggressively acting to readdress their Chinese trade deficit. It appears to be more than just a coincidence, the United States government is choosing now to pile on the pressure on its allies to ban Huawei, the world's largest telecommunications equipment manufacturer. Country-wide Huawei bans are extremely good economic news for US tech giants and exporters like Cisco, Google, and Apple, who have been rapidly losing their global market share to cheaper Huawei products in recent years.

To counter the US economic threat to their business foothold within the UK, Huawei is offering a huge carrot in the form of investing billions into UK based research centres, and a big stick in threatening to walk away from the UK market altogether. The has led to the UK government leadership becoming at odds with the MOD, the latter desire to stand shoulder-to-shoulder with the US and other NATO allies, in banning Huawei devices. This tension exploded with a very public spat between Prime Minister Theresa May and the Secretary of Defence, Gavin Williamson last month. The PM continued to defy the MOD's security warnings and Gavin Williamson was fired for allegedly leaking classified documents about the Huawei UK national security threat, an accusation which he vehemently denies.

Why the UK Gov is stuck between a Rock and Hard Place
The UK government continue to be stuck between a rock and a hard place, playing a balancing act of trying to keep both the United States and China happy, in a bid to score lucrative post-Brexit multi-billion-pound trade deals. This status-quo leaves UK Huawei smartphone consumers and UK businesses using Huawei network devices, caught in the middle. However, due to the relentless US pressure causing regular negative mainstream media headlines about the security of Huawei products, the Chinese tech giant may well be driven out of UK markets without a UK government ban.


HUAWEI NEWS AND THREAT INTELLIGENCE IN MAY 2019

Friday, 17 May 2019

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.

WhatsApp

The WhatsApp security flaw by far received the most the attention of the media and was very much the leading frontpage news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely, spyware called Pegasus, which access can the smartphone's call logs, text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack, this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on, NSO advertises it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") is known to be used by government agencies in UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users, not a middle-east political activist or a Mexican criminal, you probably shouldn’t too worry about your smartphone being exploited in the past. If you were exploited, there would be signs, with unusual cliches and activity on your phone.  Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group exploitation.

How to Prevent 

Update the WhatsApp app.
iOS

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability
Android
  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability
Microsoft Worm Vulnerability CVE-2019-0708
Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within the various versions of the Microsoft’s Windows operating system.  The vulnerability CVE-2019-0708 is within Window's “remote desktop services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year, it is a similar flaw to what the WannaCry malware exploited on mass in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infecting vulnerable systems on mass with ransomware, rendering such systems unusable.


Such is the concern of a second WannaCry style attack due to this flaw, Microsoft has taken the rare step of releasing security patches for their unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003. 

How to Prevent
Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability, therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability 

Ensure automatic updates is always kept switched on. Windows by default should attempt to download and install the latest security updates, typically you will be prompted to apply the update and accept a reboot, do this without delay. 

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally, they should monitor and risk assess the importance of newly released security updates, and then apply across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability
There was little mainstream coverage about a third major security vulnerability reported this week. Coined 'ZombieLoad side-channel processor', this vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

Tuesday, 14 May 2019

ZombieLoad: Researchers discover New Hardware Vulnerability in Modern Intel Processors

A brand new processor hardware vulnerability affecting modern Intel CPUs has been uncovered by Bitdefender researchers  Coined "ZombieLoad side-channel processor", the vulnerability defeats the architectural safeguards of the processor and allows unprivileged user-mode applications to steal kernel-mode memory information processed on the affected computer.


A Concerning Impact on Cloud Services
The new vulnerability can be exploited by attackers to leak privileged information data from an area of the processor's memory meant to be strictly off-limits. This flaw could be used in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system. The flaw has an extremely large impact on cloud service providers and within multi-tenant environments, as potentially a 'bad neighbour' could leverage this flaw to read data belonging to other tenants.

The proof of concept code has been shared privately with the vendor, was said to have been successfully tested on Intel Ivy Bridge, Haswell, Skylake and Kaby Lake microarchitectures by the researchers.


Remediation
Since this vulnerability revolves around a hardware design flaw, microcode patches have been available to remediate the flaw. Currently, Bitdefender and industry partners are working on fixes implemented at the hypervisor level.

Industry Security Patches
Similarities with Meltdown and Spectre
Side channel attacks based on speculative execution was in the news with the identification of Meltdown and Spectre CPU vulnerabilities back in early 2018. Since then, variants of side-channel attacks have been occasionally discovered and partially mitigated via microcode and operating system patches. However, as this is a flaw that stems from a hardware design issue, a general fix to plug the hardware vulnerability is impossible.


Thursday, 9 May 2019

Zavvi Champions League Final Competition Winner Email Blunder

Like many Zavvi customers this morning, I received an email titled "Congratulations, you're our Mastercard Competition WINNER!" in my inbox. An amazing prize consisting of two tickets to watch Liverpool and Spurs battle it out in the 2019 UEFA Champions League Final in Madrid. The prize also included two nights at a 4-star hotel, flights, transfers and a £250 prepaid card.
Zavvi Winners Email

Obviously, my initial thought it was a phishing email, decent quality and a well-timed attempt given Liverpool and Tottenham Hotspur were confirmed as finalists after very dramatic semi-final matches on the previous nights. I logged into my Zavvi account directly, then reset my password just in case, and after a bit checking with the embedded links within the email, and research on the Zavvi website, I soon established it was a genuine email from Zavvi.

But before embarking on a Mauricio Pochettino style injury-time winning goal celebration, I had a quick scan of my social media feeds, and it quickly became apparent there were many others believing and bragging they had also won this fantastic prize.

Image result for pochettino
Pochettino Celebrating an unbelievable Spurs Comeback in the Semi-Final

So unless the Athletico Madrid stadium has undergone a huge capacity upgrade, it became obvious that someone at Zavvi had made a huge blunder, resulting in personalised competition winner emails to be sent on mass to thousands of Zavvi customers.

UCL Final Ticket Allocation?

This kind of mass emailing replicates the time-tested phishing technique deployed by cybercriminals. But instead of having a malicious web link, a hidden malware-laced attachment, or the opening dialogue of a social engineering scam, it took its recipients on an emotional rollercoaster which ended with them feeling as flat as the Ajax players, after they lost their place in the final following an injury-time strike by Spurs' Brazilian striker Lucas Moura.
Image result for ajax players heartbreak
Zavvi left their customers feeling as flat as Ajax players did last night

What compounded matters was Zavvi keeping relatively stum about the blunder throughout the day. The e-commerce entertainment retail store published an apology mid-morning on their Facebook page, but after 100s of comments by angry customers, they deleted the post a couple of hours later. It took them almost 8 hours before Zavvi finally followed up to the "Congratulations" email, by emailing an apology which offered a mere 15% discount off their website products. I suspect most Zavvi customer won't be too happy about that, especially those that went through the day believing they had won a once in a lifetime competition.
Zavvi Apology Email - Sent almost 8 hours after the Winners Email

Wednesday, 8 May 2019

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was payment card data breach and Verizon breach investigations data focused. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by ‘plain English’ astute explanations, reason why then, the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motivate behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering, attacks such as phishing\BEC
      • Crypto-mining malware accounts for less than 5% of data breaches, despite the publicity it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point of sale breaches
      • The hacktivist threat remains low, the increase of hacktivist attacks report in DBIR 2012 report appears to be a one-off spike

Tuesday, 7 May 2019

Top Tips On Cyber Security for SMEs

Guest article by Damon Culbert of Cyber Security Jobs

Cyber criminals are a part of modern life, from Uber account hacks to major business data breaches, our online identities are rarely safe. And, while big-name companies under threat often make the news, it’s small and medium-sized enterprises who are actually their biggest targets.

Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-kept and successful IT security measures and cyber security professionals working round the clock. Due to this, cyber criminals are much more likely to swing for easy targets like family businesses.

With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all size can’t really afford to not have at least the basic security measures in place. The UK National Cyber Security Centre (NCSC) have created a list of five principles as part of their Cyber Essentials Scheme. These include:

1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date

All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition to this, here are a couple of other tips to keep hackers at bay which can be simply implemented into your business practices and keep the ICO (Information Commissioner’s Office) from the door.

Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as virus software and operation systems, will ensure that any vulnerabilities identified by the creators are covered and there are no gaping holes in your cyber defences.

It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is every compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients’ personal data is lost and costs are incurred.

Staff Awareness Without the awareness of your staff, no manner of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.

Ensuring that staff are made aware of how to identify phishing scams and even having experienced trainers come in to guide them through cyber security best practice may seem like a cost you can spare but will go far in keeping the walls around your business impenetrable.

Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital, and although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72 hour period.

The average time it takes for an organisation to discover a breach is 229 days, so the actual time it takes for the breach to come to your attention isn’t going to work too poorly in your favour. However, regular reporting is likely to result in earlier identification which will not only help you save time and money, but will also be a great trust signal to your clients that you take protecting their data seriously.

Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money saved to deal with an attack and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst case scenario.

Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:

1. Start with the basics: follow the Cyber Essentials Scheme and bake these principles into your daily operations
2. Get an understanding of the risks to your business: check out the NCSC’s ’10 Steps to Cyber Security’ for further detail than the Cyber Essentials
3. Know your business: if you still feel your data isn’t safe, research more comprehensive frameworks like the IASME standard developed for small businesses
4. Once you have a complete security framework in place, develop on the NCSC’s advice with more sophisticated frameworks, such as the NIST framework for cybersecurity.

Wednesday, 1 May 2019

Cyber Security Roundup for April 2019

The UK government controversially gave a green light to Huawei get involved with the building of the UK's 5G networks, although the Chinese tech giant role will be limited to non-sensitive areas of the network, such as providing antennas. This decision made by Theresa May came days after US intelligence announced Huawei was Chinese state funded, and amidst reports historical backdoors in Huawei products, stoking up the Huawei political and security row even further this month, and has resulted in the UK Defence Secretary, Gavin Williamson, being sacked. 
The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK cyber intelligence boffins to help organisations prepare in managing major cyber attacks.  The premise, is the tool will help UK organisations avoid scenarios such as the 2017’s Wannacry attacks, which devastated NHS IT systems and placed patient lives at risk.
 
German drug manufacturing giant, Beyer, found a malware infection, said to originate from a Chinese group called "Wicked Panda".  The malware in question was WINNIT, which is known in the security industry and allows remote access into networks, allowing hackers to deliver further malware and to conduct exploits. In my view, the presence of WINNIT is a sure sign a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector.  Beyer stressed there was no evidence of data theft, but were are still investigating. 
 
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business' operations globally, with most of the damage occurring at their European base. The ransomware wasn't named, but it left multiple Windows systems, on their presumably flat network infrastructure, paralyzed.
 
Facebook may have announced the dawn of their "privacy evolution" at the end of April, but their privacy woes still continue, after Upguard researchers found and reported 540 Million Facebook member records on an unsecured AWS S3 bucket. The "Cultura Colectiva" dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more. Looks like Facebook really have their work cut in restoring their consumer's faith in protecting their privacy.
 
UK businesses saw a significant increase in cyber attacks in 2019 according to a report by insurer Hiscox, with 55% of respondents reporting they had faced a cyber attack in 2019, up from 40% from last year.
 
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before CyberUK 2019 conference in Glasgow, which I was unable attend due work commitments, said the most common password on breached accounts was"123456", used by 23.2 million accounts worldwide. Next on the list was "123456789" and "qwerty", "password" and "1111111".  Liverpool was the most common Premier League Football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. So password still remains the biggest Achilles' heel with our security.

The UK hacktivist threat came back to the fore this month, after the Anonymous Group took revenge on the UK government for arresting WikiLeaks founder Julian Assange, by attacking Yorkshire Councils. I am not sure what Yorkshire link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack, a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana' with an image, suggested they had access to Bedale Council's confidential files, and were threatening to leak them. 
 
Microsoft Outlook.com, Hotmail and MSN users are reported as having their accounts compromised. TechCrunch revealed the breach was caused due to the hackers getting hold of a customer support tech's login credentials. Over two million WiFi passwords were found exposed on an open database by the developer of WiFi Finder. The WiFi Finder App helps to find and log into hotspots.  Two in every three hotel websites leak guest booking details and personal data according to a report. Over 1,500 hotels in 54 countries failed to protect user information.
 
Finally, but not lest, a great report by Recorded Future on the raise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checkers' tools to validate compromised credentials, before selling them on.

I am aware of school children getting sucked into this illicit world, typically starts with them seeking to take over better online game accounts after their own account is compromised, they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you - see password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or have are informed your account 'may' have compromised, change your password straight away.

BLOG
 NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS